I've extended my Active Directory Schema with the sfusch.exe tool from
Microsoft Services for UNIX 3.5. I'm currently running Windows Server
2003 SP1.

When I try to set the UNIX attributes for a user in "Active Directory
Users and Computers" I receive the following message:

"Duplicate UID

Assign a uniqueUID"

I have verfied the ID I'm trying to set (10000) is unique. In fact
there are not currently any users with a defined UID. I verified that
by performing a custom search from the domain base with this query:

(objectCategory=user)(msSFU30UidNumber=*)

If I try to set a GID for an Active Directory group I receive a
similiar error:

"Duplicate GID

Assign a unique GID"

I can pragmatically set the UNIX attributes for a user using a script.
After setting these values, I can view them in Active Directory Users
and Computers but I can't modify anything.

I performed an wiredump to see what LDAP calls nisprop.dll was trying
to make. Here's what I've seen after I hit the "OK" or "Apply" button
in ADUC:

LDAP Search:
Base: DN=DC=domain,DC=com
Filter:
(&(objectCategory=users)(msSFU30NisDomain=domain)(msSFU30UidNumber=10000)(! (cn=username)))
Attribute: msSFU30UidNumber

LDAP Search Result:
Result Code: 0x00 (Success)
Matched DN: (null)
Error Message: (null)
Result Reference: ldap://domain.com/CN=Configuration,DC=domain,DC=com
Result Reference:
ldap://DomainDnsZones.domain.com/DC=DomainDnsZones,DC=domain,DC=com
Result Reference:
ldap://ForestDNSZones.domain.com/DC=ForestDNSZones.,DC=domain,DC=com

LDAP Search:
Base: DN=CN=Configuration,DC=domain,DC=com
Filter:
(&(objectCategory=users)(msSFU30NisDomain=domain)(msSFU30UidNumber=10000)(! (cn=username)))
Attribute: msSFU30UidNumber

LDAP Search Result:
Result Code: 0x00 (Success)
Matched DN: (null)
Error Message: (null)
Result Reference:
ldap://domain.com/CN=Schema,CN=Configuration,DC=domain,DC=com

LDAP Search:
Base: DN=CN=Schema,CN=Configuration,DC=domain,DC=com
Filter:
(&(objectCategory=users)(msSFU30NisDomain=domain)(msSFU30UidNumber=10000)(! (cn=username)))
Attribute: msSFU30UidNumber

LDAP Search Result:
Result Code: 0x00 (Success)
Matched DN: (null)
Error Message: (null)

At this point the conversation stops and the "Duplicate" error message
is displayed. It seems that the process is trying to verify the user
has a unique ID and though no search results are returned it is
erroneously marking this as a dupliacte.

Any thoughts or comments would be appreciated.

Walt Howd

Walt Howd * Network Administrator * SunGard * Higher Education * 100
East Normal Street, Kirksville, MO 63501 * Tel 660-785-7394 * Mobile
660-349-8076 * Fax 660-785-7632 * wh...@truman.edu

I've exported my OUs and users from my production environment to a test
environment and re-tested assigning unix attributes using the
nisprop.dll Active Directory Users and Computers snapin.

Under the test environment it works without a problem.

One thing I've noticed: In my production environment the Schema OU (the
last search base for the ldap query before nisprop.dll complains of
duplicate entries) has over 1000 objects. I believe a majority of these
are from installing Exchange. In my test environment I do not have any
other products installed that have modified the AD Schema.

I know that Active Directory uses paged results and the default max
query size is 1000 objects. Is it possible that the nisprop.dll is not
correctly handling a paged result search set?

Technically the result set of this last query should be "0" or null
which wouldn't require a paged result set. However I'm at a lost to
explain why the last query is in the Schema OU before the incorrect
"duplicate" message is displayed.

Walt Howd * Network Administrator * SunGard * Higher Education * 100
East Normal Street, Kirksville, MO 63501 * Tel 660-785-7394 * Mobile
660-349-8076 * Fax 660-785-7632 * wh...@truman.edu